Safe Entitlements

When you provision users to many apps, we use Safe Entitlements to provision users to entitlements (like groups or roles) without impacting existing entitlement (group or role) memberships. Before making changes to users in the app, OneLogin first identifies the users that weren't added by OneLogin and then proceeds with user provisioning, leaving users that weren't added by OneLogin untouched.

The Safe Entitlements feature frees you up to allow two common user creation workflows without having to worry that one will delete users created by the other:

Provision users to groups or roles using OneLogin

Create users and add them to groups or roles directly in the app

For example, as illustrated in the diagram below, let’s say that OneLogin needs to provision four users from Active Directory to the Box group Sales. In Box, OneLogin identifies five users that it did not create that were created directly in Box. With safe entitlements enabled, OneLogin provisions its four Active Directory users to the Sales group, while leaving the five users created directly in Box untouched.

On the other hand, let’s take a look at the results of the same provisioning scenario if the Safe Entitlements feature were not enabled:

In this case, OneLogin provisions its Active Directory users to the Sales group and deletes all other users.

All entitlements that use Safe Entitlements are described as such in the OneLogin documentation.

If you want to disable Safe Entitlements for an application connector that uses it by default, contact support@onelogin.com.